Nssm-2.24 Exploit May 2026

However, NSSM 2.24 mitigates this partially by calling SetDllDirectory("") and using fully qualified paths for system DLLs. No public, reliable exploit chain exists for DLL hijacking in 2.24 itself unless the user overrides environment variables.

A sysadmin runs:

nssm install MyService C:\tools\legacy_app.exe

If the admin does not explicitly run nssm set MyService ObjectName "NT AUTHORITY\LocalService", the service runs as LocalSystem (high privilege). An attacker with SERVICE_CHANGE_CONFIG access (sometimes granted to the Users group on misconfigured systems) can change the binary path to cmd.exe /c net user hacker P@ssw0rd /add.

Look for (A;;RPWPCCDCLCSWRCWDWOGA;;;AU) – that grants Authenticated Users change config rights. Remove with:
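To audit for ACEs like the one above, here is an added example (not part of the original page): a Python check that parses a service security descriptor in SDDL form, such as the string `sc sdshow MyService` prints, and reports allow ACEs that give broad groups SERVICE_CHANGE_CONFIG or the rights to rewrite the DACL or owner. The `risky_aces` name, the sample SDDL string and the set of trustees treated as broad are assumptions made for this example.

```python
import re

# SDDL right code -> (access-mask bit, service meaning). Each of these lets the
# holder repoint the service binary, directly or by rewriting the DACL/owner.
DANGEROUS = {
    "DC": (0x00000002, "SERVICE_CHANGE_CONFIG"),
    "WD": (0x00040000, "WRITE_DAC"),
    "WO": (0x00080000, "WRITE_OWNER"),
    "GA": (0x10000000, "GENERIC_ALL"),
}
# Trustees treated as "broad" here (an assumption; extend for your environment).
BROAD = {
    "AU": "Authenticated Users", "S-1-5-11": "Authenticated Users",
    "BU": "Builtin Users", "S-1-5-32-545": "Builtin Users",
    "IU": "Interactive", "S-1-5-4": "Interactive",
    "WD": "Everyone", "S-1-1-0": "Everyone",
}

def risky_aces(sddl):
    """Return [(trustee, [dangerous rights])] for allow ACEs in the DACL only."""
    # Capture the ACE list after "D:" and its flags; stops before the SACL ("S:").
    dacl = re.search(r"D:[A-Z]*((?:\([^)]*\))*)", sddl)
    findings = []
    for ace in re.findall(r"\(([^)]*)\)", dacl.group(1) if dacl else ""):
        # ace_type;ace_flags;rights;object_guid;inherit_object_guid;trustee
        fields = ace.split(";")
        if len(fields) < 6 or fields[0] != "A" or fields[5] not in BROAD:
            continue
        rights = fields[2]
        if rights.lower().startswith("0x"):      # rights given as a hex mask
            mask = int(rights, 16)
            hits = [name for bit, name in DANGEROUS.values() if mask & bit]
        else:                                     # rights given as two-letter codes
            hits = [DANGEROUS[c][1] for c in re.findall("..", rights) if c in DANGEROUS]
        if hits:
            findings.append((BROAD[fields[5]], hits))
    return findings

# Constructed sample: the ACE from the text plus SYSTEM/Administrators ACEs and a SACL
# whose audit ACE has type "AU" and trustee "WD" (codes that mean other things elsewhere).
SAMPLE = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
          "(A;;RPWPCCDCLCSWRCWDWOGA;;;AU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")

if __name__ == "__main__":
    for trustee, rights in risky_aces(SAMPLE):
        print(f"{trustee}: {', '.join(rights)}")
```

The same two letters can mean different things by position: "WD" is WRITE_DAC in the rights field but Everyone in the trustee field, which is why the ACE is split into fields before matching.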